Skip to content

Commit

Permalink
fix(fapi): validate ID Token's iat regardless of which channel it cam…
Browse files Browse the repository at this point in the history
…e from
  • Loading branch information
panva committed Apr 30, 2021
1 parent 0d684f4 commit b68b9ab
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 12 deletions.
24 changes: 12 additions & 12 deletions lib/client.js
Original file line number Diff line number Diff line change
Expand Up @@ -724,6 +724,8 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
});
}

const fapi = this.constructor.name === 'FAPIClient';

if (returnedBy === 'authorization') {
if (!payload.at_hash && tokenSet.access_token) {
throw new RPError({
Expand All @@ -739,19 +741,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
});
}

const fapi = this.constructor.name === 'FAPIClient';

if (fapi) {
if (payload.iat < timestamp - 3600) {
throw new RPError({
printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
now: timestamp,
tolerance: this[CLOCK_TOLERANCE],
iat: payload.iat,
jwt: idToken,
});
}

if (!payload.s_hash && (tokenSet.state || state)) {
throw new RPError({
message: 'missing required property s_hash',
Expand All @@ -773,6 +763,16 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
}
}

if (fapi && payload.iat < timestamp - 3600) {
throw new RPError({
printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
now: timestamp,
tolerance: this[CLOCK_TOLERANCE],
iat: payload.iat,
jwt: idToken,
});
}

if (tokenSet.access_token && payload.at_hash !== undefined) {
try {
tokenHash.validate({ claim: 'at_hash', source: 'access_token' }, payload.at_hash, tokenSet.access_token, header.alg, key && key.crv);
Expand Down
2 changes: 2 additions & 0 deletions test/client/client_instance.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -2644,9 +2644,11 @@ describe('Client', () => {
it('FAPIClient checks iat is fresh', function () {
const code = 'jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y'; // eslint-disable-line camelcase, max-len
const c_hash = '77QmUPtjPfzWtF2AnpK9RQ'; // eslint-disable-line camelcase
const s_hash = 'LCa0a2j_xo_5m0U8HTBBNA'; // eslint-disable-line camelcase

return this.IdToken(this.keystore.get(), 'RS256', {
c_hash,
s_hash,
iss: this.issuer.issuer,
sub: 'userId',
aud: this.fapiClient.client_id,
Expand Down

0 comments on commit b68b9ab

Please sign in to comment.